RE: How to choose an IDS/FW MSS provider

----Original Message-----
From: Adam Powers [mailto:apowers@lancope.com] 
Sent: Wednesday, March 16, 2005 12:06 AM
To: Chris Harrington; 'David W. Goodrum'; 'Stephane'
Cc: 'Brady, Rick'; 'Melih Kirkgöz ' (Koç.net); focus-ids@securityfocus.com
Subject: Re: How to choose an IDS/FW MSS provider


> I'm sorry, what "old hat" technology are you referring to? Tippingpoint?
> Intruvert? Proventia G? These are "old hat"? How so? What percentage of
market share denotes "old hat"? >Your reasoning says < 10%.

When I say "old hat" I am not disparaging the technology or vendors in any
way. I am saying that IPS at the perimeter has and is being done by an
increasing number of vendors. It's common place and there is not a lot more
that can be done there. I don?t think IPS is going to curl up and die at the
perimeter...where else can it go besides deeper inside the network?

> I'm also really confused as to how you think we're going to deploy
> (affordable) IPS technology at the edge? What is the per-port cost of
current (successful) IPS
> technologies? If I have 30,000 ports in my enterprise, what will it cost me
to "protect the core from 
> the distribution layer"?

What is the per-port for current IPS technologies for 30k ports? A lot I am
sure....prohibitive from a cost perspective for many. What about IDS / IPS
functionality on the switch itself? There are at least 2 vendors that I am
aware of who are talking with switch manufacturers on this very topic. If
this functionality comes in the form of an expansion card or firmware
upgrade for a switch it would be more cost effective than current
technologies. 

As far as protecting the core from distribution, there is a reason that
vendors are coming out with 5 gig and faster boxes and its not to protect a
DS-3 connection :)

> I'm not certain what school of IPS deployment you are from but it's
definitely not the "school of reality".

I am looking forward. Read my post closely, I never said this is what is
happening now. I said the "next frontier". 

> Or perhaps you know of some new edge technology:
> 1. that's affordable
> 2. that's deployable on the workstation
> 3. that's deployable on the switch fabric (enterprise wide) 
> 4. that I/we can't comprehend (perhaps from Nitro Security?)
>
> If #3 is the answer, please explain / describe / enlighten.

Lol...I think you need to re-read my post. I never claimed there was this
breakthrough technology. More than once I made reference to where I think
things *will* be going, not where they are today. I would love to tell you
that there is this great technology that will protect your 30k switches for
$999.95. We all know that is not the case, yet. 

IPS / IDS down to the switch port is where I see this heading. That's my
opinion and you do not have to agree with it which you apparently do not.
It's more interesting if you don't :)

--Chris

Christopher Harrington, CISSP
Director, Nitro Threat Analysis Center
nitrosecurity
o: 603.766.8160 x25
c: 603.969.0592
e: charrington@nitrosecurity.com
w: www.nitrosecurity.com
Skype: chrisharrington



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------